Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

2nd factor to MAC authentication with ClearPass

  • 1.  2nd factor to MAC authentication with ClearPass

    Posted Jun 18, 2018 08:13 AM

    Hello,

    I have a customer who asked me if it is possible to add a 2nd factor to MAC authentication, as MAC addresses are quite easy to spoof. I tried an NMAP scan, but there was no distinct result for some devices. As far as I know, SNMP cannot be triggered from a service and runs only on a network scan.

    I have read that a competing product (arp-guard) can check for HTTPS certificates. The cert is trusted on first use and then arp-guard checks against this certificate.

    Is there a similar way in ClearPass?

    Regards,

    Marian



  • 2.  RE: 2nd factor to MAC authentication with ClearPass

    EMPLOYEE
    Posted Jun 18, 2018 08:16 AM
    Why aren’t you using 802.1X? MAC “authorization” is not authentication.


  • 3.  RE: 2nd factor to MAC authentication with ClearPass

    Posted Jun 18, 2018 08:20 AM

    Sorry, I did not make this clear. dot1x is used for all devices able to use it, but there are phones, printers and old APs without a supplicant.



  • 4.  RE: 2nd factor to MAC authentication with ClearPass

    EMPLOYEE
    Posted Jun 18, 2018 08:33 AM
    MFA is a user construct. So you just simply want additional profiling?


  • 5.  RE: 2nd factor to MAC authentication with ClearPass

    Posted Jun 18, 2018 08:59 AM

    I want to know if there is something that can be taken into account in addition to the MAC auth that is not easy to forge.

    One idea would be an HTTP server certificate, which is available on many devices without a dot1x supplicant.

    I guess in terms of ClearPass that would be additional profiling.



  • 6.  RE: 2nd factor to MAC authentication with ClearPass
    Best Answer

    EMPLOYEE
    Posted Jun 18, 2018 09:07 AM
    Unfortunately, no, as you would need a database to compare against.


  • 7.  RE: 2nd factor to MAC authentication with ClearPass

    Posted Jun 18, 2018 09:13 AM

    That is bad, but thank you for the clarification.



  • 8.  RE: 2nd factor to MAC authentication with ClearPass

    EMPLOYEE
    Posted Jun 18, 2018 09:20 AM
    Why is that bad? An arbitrary server certificate with no binding is just as ephemeral as a MAC address.


  • 9.  RE: 2nd factor to MAC authentication with ClearPass

    Posted Jun 18, 2018 09:32 AM

    The certificate must not be arbitrary, that is true. But with a trust-on-first-use concept, or a learning port, ClearPass would have a certificate specific to this device and could then check against this certificate.

    If one can easily retrieve this certificate from the device, this approach would be useless. But if not, one would have something to verify, and this cannot be forged easily.



  • 10.  RE: 2nd factor to MAC authentication with ClearPass

    EMPLOYEE
    Posted Jun 18, 2018 09:34 AM
    I would recommend working with your ClearPass partner to look at all of the profiling options available for headless devices.


  • 11.  RE: 2nd factor to MAC authentication with ClearPass

    MVP
    Posted Jul 02, 2018 09:24 PM
    I use profiling right now to identify devices for MAC auth on wired authentication. You can also use the "Conflict" condition in Role Mapping, which would be one way of helping fight against spoofing, as it would identify if there is a duplicate MAC but a different fingerprint. As Tim mentioned, a database would also be helpful - for example an MDM or SQL DB to query. The problem with just checking the fingerprint is that a printer is a printer, but without something to check against, it would be difficult to be 100% locked down. For wireless, you can enable IF-MAP; DHCP is also a simple way of profiling. Network scans are broken in 6.6.5, so make sure CPPM is recent, then you can leverage NMAP and SNMP data through scans and SPAN port.


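The trust-on-first-use idea from post 9 and the "same MAC, different fingerprint" conflict check from post 11 are sketched below as an added, stand-alone example; this is not ClearPass code, and the thread confirms ClearPass has no built-in check of this kind. It pins the SHA-256 fingerprint of a headless device's server certificate to its MAC address, learns only while a learning mode is enabled, and flags a later mismatch as a conflict for the operator to review. The `PinStore`, `evaluate` and the certificate bytes are all constructed for illustration.

```python
"""TOFU pinning of a headless device's HTTPS certificate, keyed by MAC.

Illustrative only: a database such as the one Tim mentions would hold
the 'pins' mapping in a real deployment. Certificate bytes used in tests
are constructed placeholders, not real DER."""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class PinStore:
    # MAC (normalised) -> SHA-256 fingerprint learned on first use
    pins: dict = field(default_factory=dict)
    # MAC -> every fingerprint ever seen for it, for conflict review
    observed: dict = field(default_factory=dict)


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or bare hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def fingerprint(cert_der: bytes) -> str:
    """Fingerprint the certificate exactly as presented (DER bytes)."""
    return hashlib.sha256(cert_der).hexdigest()


def evaluate(store: PinStore, mac: str, cert_der: bytes,
             learning_port: bool = False) -> str:
    """Return LEARNED, MATCH, CONFLICT or UNKNOWN for one observation.

    UNKNOWN means MAC auth is the only evidence available; CONFLICT means
    the MAC is known but presents a different certificate than the one
    pinned, which is the spoofing (or device-replacement) signal."""
    key = normalise_mac(mac)
    fp = fingerprint(cert_der)
    store.observed.setdefault(key, set()).add(fp)
    pinned = store.pins.get(key)
    if pinned is None:
        if learning_port:
            store.pins[key] = fp  # trust on first use, learning mode only
            return "LEARNED"
        return "UNKNOWN"
    return "MATCH" if pinned == fp else "CONFLICT"
```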